auth: expose ErrBadCreds to check for expected errs (#218)

* auth: expose ErrBadCreds to check for expected errs * use gocenter temporarily * just kidding gocenter doesn't support branch gets * trigger build
nytimes · Jun 12, 2019 · 4dd11b5 · 4dd11b5
1 parent 7e4d613
commit 4dd11b5
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 6 deletions.
diff --git a/auth/gcp/identity.go b/auth/gcp/identity.go
@@ -144,7 +144,10 @@ func (s IdentityClaimSet) BaseClaims() *jws.ClaimSet {
 func IdentityClaimsDecoderFunc(_ context.Context, b []byte) (auth.ClaimSetter, error) {
 	var cs IdentityClaimSet
 	err := json.Unmarshal(b, &cs)
-	return cs, err
+	if err != nil {
+		return cs, errors.Wrap(auth.ErrBadCreds, err.Error())
+	}
+	return cs, nil
 }
 
 // IdentityVerifyFunc auth.VerifyFunc wrapper around the IdentityClaimSet.

diff --git a/auth/keys.go b/auth/keys.go
@@ -60,9 +60,12 @@ func (ks PublicKeySet) Expired() bool {
 
 // GetKey will look for the given key ID in the key set and return it, if it exists.
 func (ks PublicKeySet) GetKey(id string) (*rsa.PublicKey, error) {
+	if len(ks.Keys) == 0 {
+		return nil, errors.New("no public keys found")
+	}
 	key, ok := ks.Keys[id]
 	if !ok {
-		return nil, errors.Errorf("key [%s] not found in set of size %d", id, len(ks.Keys))
+		return nil, errors.Wrapf(ErrBadCreds, "key [%s] not found in set of size %d", id, len(ks.Keys))
 	}
 	return key, nil
 }

diff --git a/auth/verify.go b/auth/verify.go
@@ -4,12 +4,12 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
-	"errors"
 	"net/http"
 	"strings"
 	"time"
 
 	httptransport "github.com/go-kit/kit/transport/http"
+	"github.com/pkg/errors"
 	"golang.org/x/oauth2/jws"
 )
 
@@ -22,6 +22,11 @@ type Verifier struct {
 	skewAllowance int64
 }
 
+// ErrBadCreds will always be wrapped when a user's
+// credentials are unexpected. This is so that we can
+// distinguish between a client error from a server error
+var ErrBadCreds = errors.New("bad credentials")
+
 var defaultSkewAllowance = time.Minute * 5
 
 // ClaimSetter is an interface for all incoming claims to implement. This ensures the
@@ -81,7 +86,7 @@ func (c Verifier) VerifyRequest(r *http.Request) (bool, error) {
 func (c Verifier) Verify(ctx context.Context, token string) (bool, error) {
 	hdr, rawPayload, err := decodeToken(token)
 	if err != nil {
-		return false, err
+		return false, errors.Wrap(ErrBadCreds, err.Error())
 	}
 
 	keys, err := c.ks.Get(ctx)
@@ -96,7 +101,7 @@ func (c Verifier) Verify(ctx context.Context, token string) (bool, error) {
 
 	err = jws.Verify(token, key)
 	if err != nil {
-		return false, err
+		return false, errors.Wrap(ErrBadCreds, err.Error())
 	}
 
 	// use claims decoder func
@@ -113,7 +118,7 @@ func (c Verifier) Verify(ctx context.Context, token string) (bool, error) {
 	}
 
 	if nowUnix > (claims.Exp + c.skewAllowance) {
-		return false, errors.New("invalid expiration time")
+		return false, errors.Wrap(ErrBadCreds, "invalid expiration time")
 	}
 
 	return c.vf(ctx, clmstr), nil